Read this online at https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
Today, we are publishing the 1.4.2 and 1.0.8 security patch versions. The release files for the patch versions are available for download on the ClamAV downloads page <https://www.clamav.net/downloads>, on the GitHub Release page <https://github.com/Cisco-Talos/clamav/releases>, and through Docker Hub <https://hub.docker.com/r/clamav/clamav/>.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.4.2

ClamAV 1.4.2 is a patch release with the following fixes:

* CVE-2025-20128 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128>: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

  This issue was introduced in version 1.0.0 and affects all currently supported versions. It will be fixed in: 1.4.2 and 1.0.8

  Thank you to OSS-Fuzz for identifying this issue.

1.0.8

ClamAV 1.0.8 is a patch release with the following fixes:

* CVE-2025-20128 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128>: Fixed a possible buffer overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

  This issue was introduced in version 1.0.0 and affects all currently supported versions. It will be fixed in: 1.4.2 and 1.0.8

  Thank you to OSS-Fuzz for identifying this issue.

* ClamOnAcc: Fixed an infinite loop when a watched directory does not exist. This is a backport of a fix from ClamAV 1.3.0.

  * GitHub pull request <https://github.com/Cisco-Talos/clamav/pull/1426>

Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.